Skip to content

add option to disable or restrict cors endpoint #4087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
KristjanESPERANTO merged 2 commits into from
Apr 4, 2026
Merged

add option to disable or restrict cors endpoint #4087

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bb0993d
add option to disable or restrict cors endpoint
khassel Apr 3, 2026
1053415
use global.config, fix return
khassel Apr 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions js/defaults.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ const defaults = {
basePath: "/",
electronOptions: {},
ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1"],
cors: "disabled", // or "allowAll" or "allowWhitelist"
corsDomainWhitelist: [], // example: ["api.mapbox.com"]

language: "en",
logLevel: ["INFO", "LOG", "WARN", "ERROR"],
Expand Down
5 changes: 5 additions & 0 deletions js/server_functions.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ async function isPrivateTarget (url) {
const hostname = parsed.hostname.replace(/^\[|\]$/g, "");

if (hostname.toLowerCase() === "localhost") return true;
if (global.config.cors === "allowWhitelist" && !global.config.corsDomainWhitelist.includes(hostname.toLowerCase())) return true;

try {
const results = await dns.lookup(hostname, { all: true });
Expand Down Expand Up @@ -68,6 +69,10 @@ function replaceSecretPlaceholder (input) {
* @returns {Promise<void>} A promise that resolves when the response is sent
*/
async function cors (req, res) {
if (global.config.cors === "disabled") {
Log.error("CORS is disabled, you need to enable it in `config.js` by setting `cors` to `allowAll` or `allowWhitelist`");
return res.status(403).json({ error: "CORS proxy is disabled" });
}
try {
const urlRegEx = "url=(.+?)$";
let url;
Expand Down
19 changes: 19 additions & 0 deletions tests/unit/functions/server_functions_spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ describe("server_functions tests", () => {
let fetchMock;

beforeEach(() => {
global.config = { cors: "allowAll" };
fetchResponseHeadersGet = vi.fn(() => {});
fetchResponseArrayBuffer = vi.fn(() => {});
fetchResponse = {
Expand Down Expand Up @@ -263,4 +264,22 @@ describe("server_functions tests", () => {
expect(response.json).toHaveBeenCalledWith({ error: "Forbidden: private or reserved addresses are not allowed" });
});
});

describe("The isPrivateTarget method with allowWhitelist", () => {
beforeEach(() => {
mockLookup.mockReset();
});

it("Block public unicast IPs if not whitelistet", async () => {
global.config = { cors: "allowWhitelist", corsDomainWhitelist: [] };
mockLookup.mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
expect(await isPrivateTarget("http://example.com/api")).toBe(true);
});

it("Allow public unicast IPs if whitelistet", async () => {
global.config = { cors: "allowWhitelist", corsDomainWhitelist: ["example.com"] };
mockLookup.mockResolvedValue([{ address: "93.184.216.34", family: 4 }]);
expect(await isPrivateTarget("http://example.com/api")).toBe(false);
});
});
});
Loading